Opened 6 years ago
Closed 6 years ago
#1616 closed defect (wontfix)
ssl_preread_alpn_protocols not safe
| Reported by: | James Callahan | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.15.x |
| Keywords: | ssl_preread | Cc: | |
| uname -a: | |||
| nginx -V: | N/A | ||
Description
ssl_preread_alpn_protocols is a comma separated list of ALPNs proposed by a client.
However an ALPN is allowed to contain a comma. This makes it impossible to safely know if a client proposed a given ALPN.
Change History (2)
comment:2 by , 6 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Currently there is no convenient way in nginx to check if a given value is present in a list of values. This is why we came up with the comma-separated list. As mentioned above, it is unlikely that there will be any issue with that in real life since no protocols are defined which have a comma in name.
Another example is the openssl s_client command line tool which expects -alpn argument value as a comma-separated list as well.
Note:
See TracTickets
for help on using tickets.
Just a note, that in the current IANA "ExtensionType Values" registry of TLS ALPN Protocol IDs [1] there are no such values.
[1] https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids